Sunday, March 21, 2010

That's the headline to this article from CNN. I was a bit shocked to see it. The triggering event for that article was the arrest of three men who appear to have operated the 13 million computer "Mariposa" botnet. I would have expected that taking down such a significant* botnet would be followed by multiple rounds of self-congratulation, rather than questions about the value of the whole enterprise. However, according to the article

the whole get-the-bad-guys effort, while it makes for good drama, is a futile way to secure the Internet, some computer security experts say.

"The virus writers and the Trojan [horse] writers, they're still out there," said Tom Karygiannis, a computer scientist and senior researcher at the National Institute of Standards and Technology. "So I don't think they've deterred anyone by prosecuting these people."

...

It would be smarter, Karygiannis said, to develop new anti-virus technologies and to teach people how to protect themselves from Internet crime.

To my mind, the sentiment reflected in the above quote is simply wrong.

First, Karygiannis' proposed alternatives are, at best, highly imperfect solutions. With respect to user education, I suspect Karygiannis has underestimated how difficult user education actually is, though, given that it's common knowledge that people still fall for Nigerian email scams (see, e.g., here), I don't know why he would. Further, even if user education were perfect, it's not at all clear how it would protect against malware which spreads by exploiting vulnerabilities in legitimate software. Indeed, Mariposa itself has been observed to spread through vulnerabilities in Internet Explorer 6 (among other vectors, described here), so even the specific botnet addressed in the article provides a counterexample to the proposition that user education is some kind of panacea. With respect to better anti-virus technologies, technical protection mechanisms are certainly helpful, but they too aren't a panacea. Better anti-virus protection is nice, but the people writing malware aren't dummies, and they constantly improve their products to address advances in security technology. A great example of how this works is Conficker, a malware program whose "unknown authors are ... believed to be tracking anti-malware efforts from network operators and law enforcement and have regularly released new variants to close the worm's own vulnerabilities" (via Wikipedia).

Second, with respect to Karygiannis' comment that "I don't think they've deterred anyone by prosecuting these people," to the extent that comment is meant literally (that cybercriminals, as a class, are immune to the deterrent effect of criminal prosecution), it seems unbelievable. That's especially true since the arrests related to the Mariposa botnet are only part of a series of well-publicized law enforcement actions against cybercriminals (for example, the recommended 25-year sentence for computer hacker Albert Gonzalez, described in this article). Further, even if it were true that prosecution of cybercriminals had no deterrent effect whatsoever, it would still have the effect of preventing the particular cybercriminals who had been prosecuted from committing further crimes. This effect, referred to as incapacitation, is something that has been well studied and documented with respect to other types of crimes (e.g., here), and there is no reason why it shouldn't apply to cybercrime as well.

The bottom line is that punishment of cybercriminals is a necessary part of our collective defense against cybercrime. To simply focus on user education and technical protection mechanisms, while those are important tools, would do nothing to address the source of these crimes.

*Determining the actual size of botnets is, to put it mildly, an inexact science. For example, this article about the size of the "Kraken" botnet pointed out that the controversy regarding Kraken's size was not limited to how many machines it controlled, but also reached more basic questions, such as whether Kraken was really separate from the older "Bobax" botnet. However, regardless of how botnet size is counted, Mariposa is undeniably huge (by comparison, Kraken was estimated at 400,000 machines - several orders of magnitude smaller than Mariposa).

So, was Netflix wrong to give out the data it included in the second contest? Well, the second contest indicated what movies people had watched, and what ratings those movies had been given. The people weren't identified by name, but their ZIP codes, ages and gender were provided. As it happens, there is an 87% chance that, if you have someone's birth date, ZIP code, and gender, you can uniquely identify that person (as related in this article, also from Threat Level). Does that mean Netflix's second contest ran afoul of the law? Well, it was settled, so we don't know what a court would say. However, it was certainly a significant enough risk that Netflix decided to cancel the well-publicized sequel to its earlier successful efforts, which probably means that Netflix made a bit too much public.

Now that it's all over, given the benefit of 20/20 hindsight, what should Netflix have done with the second contest? Well, from a conservative standpoint, it could probably have avoided the type of privacy complaints that came up if, instead of just removing names, it had followed the anonymization guidelines provided for medical research on human subjects (a good summary of which can be found here). Those guidelines have the benefit of being the gold standard for data anonymization, and they also list specific items to exclude, among them the ZIP codes included in Netflix's data set.
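As an added illustration (not from the post or from Netflix), the sketch below contrasts "just removing names" with the generalizations used by one such set of guidelines, the HIPAA Safe Harbor de-identification method (three-digit ZIP prefixes, year-only dates, ages over 89 collapsed into a single bucket), run over constructed records shaped like the contest data. The restricted-ZIP set and the reference year are assumed placeholders, not the census-derived values the rule actually requires.

```python
from collections import Counter

REFERENCE_YEAR = 2010  # assumed: the year at which ages are computed

# Constructed sample records in the shape of the data set described in the post
# (ZIP, date of birth, gender, a rating); none of this is real Netflix data.
RECORDS = [
    {"name": "Alice", "zip": "45202", "birth": "1975-03-14", "sex": "F", "rating": 4},
    {"name": "Beth",  "zip": "45208", "birth": "1975-11-30", "sex": "F", "rating": 2},
    {"name": "Carol", "zip": "45219", "birth": "1975-07-01", "sex": "F", "rating": 5},
    {"name": "Dan",   "zip": "03601", "birth": "1917-01-09", "sex": "M", "rating": 3},
    {"name": "Ed",    "zip": "03604", "birth": "1915-06-21", "sex": "M", "rating": 3},
    {"name": "Frank", "zip": "10001", "birth": "1982-02-28", "sex": "M", "rating": 1},
]

# Safe Harbor keeps the first three ZIP digits only if that three-digit area holds
# more than 20,000 people; smaller areas become "000".  This set is an assumed
# placeholder, not the real census-derived list.
RESTRICTED_ZIP3 = {"036", "059"}


def naive_anonymize(rec):
    """What the post says Netflix did: drop the name, keep everything else."""
    return {k: v for k, v in rec.items() if k != "name"}


def safe_harbor(rec, restricted=RESTRICTED_ZIP3, ref_year=REFERENCE_YEAR):
    """Apply the Safe Harbor generalizations to the quasi-identifiers."""
    zip3 = rec["zip"][:3]
    if zip3 in restricted:
        zip3 = "000"
    birth_year = rec["birth"][:4]              # dates keep the year only
    if ref_year - int(birth_year) > 89:        # ages over 89 collapse to one bucket
        birth_year = "90+"
    return {"zip3": zip3, "birth_year": birth_year, "sex": rec["sex"],
            "rating": rec["rating"]}


def uniqueness(records, keys):
    """Fraction of records whose quasi-identifier tuple appears exactly once."""
    counts = Counter(tuple(r[k] for k in keys) for r in records)
    unique = sum(1 for r in records if counts[tuple(r[k] for k in keys)] == 1)
    return unique / len(records)


if __name__ == "__main__":
    naive = [naive_anonymize(r) for r in RECORDS]
    strict = [safe_harbor(r) for r in RECORDS]
    print("unique after dropping names:", uniqueness(naive, ("zip", "birth", "sex")))
    print("unique after Safe Harbor:   ", uniqueness(strict, ("zip3", "birth_year", "sex")))
```

Every record in the constructed set is unique once only the name is gone, which is the re-identification risk the post describes; after generalization only one of the six remains unique.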

Sunday, March 7, 2010

Is HIPAA meaningful? For a long time, the answer to that question was arguably no. The date for compliance with the privacy rule was April 14, 2003, and the date for compliance with the security rule was two years later (the HIPAA Wikipedia entry has a good summary of this history). Nevertheless, it wasn't until 2007 that the first HIPAA audit took place (see here), and the lack of enforcement led many to believe that HIPAA was basically toothless (see, e.g., here).

Now, though, that may be changing. One of the notable features of the HITECH Act was that it gave state attorneys general the right to file suit on behalf of state residents who have been harmed by a HIPAA violation (the text of the act can be found here). Since then, the attorney general of Connecticut has taken advantage of that new authority, and filed suit against Health Net Connecticut, Inc. for HIPAA violations (among other things). The press release is here, and the complaint can be found here. Does this herald a new era of aggressive HIPAA enforcement? I tend to think not. The HITECH Act limits the amount of damages recoverable by attorneys general to $25,000 per calendar year for violations of any individual requirement or prohibition, so HIPAA enforcement isn't going to be a panacea for states which already have limited enforcement budgets. On the other hand, there has already been one suit, and if an attorney general is already thinking about bringing an action (e.g., under some applicable state law), the extra HIPAA recovery could make the difference in whether a suit is brought. Either way, though, with the Connecticut attorney general's action, the era of absent HIPAA enforcement is officially closed.
